By Vidya Murthy
In many ways, life in the U.S. is slowly returning post COVID-19.
Even with delta variants, unvaccinated numbers, and perhaps rushed openings, people are yearning for a semblance of normalcy. The same is true for our healthcare workers, systems, devices, and patients. But we would be fooling ourselves if we didn’t acknowledge that some things have been irreversibly changed.
This goes beyond day to day life and applies to the cybersecurity of our infrastructure, in particular focusing on medical devices. Below are 5 lessons that we should all consider in the new-way of operating:
Lesson 1: Connectivity requires security.
Telehealth services took center stage during COVID. Devices in healthcare delivery organizations (HDOs) became connected to deliver additional clinical functionality for patients who couldn’t see their doctors ini person. Post-COVID, clinicians can now track patient adherence using a phone-based app that syncs to a device while patients can receive care from the convenience of their homes without having to travel. Electronic health records can be rapidly shared across a care team ensuring care is planned with all the data available. These have been incredible advancements for patients and clinicians. But this connectivity was not designed with security in mind.
Now don’t get me wrong - healthcare as an industry should focus on healthcare. Not on becoming security experts. But the reliance on technology will never go away - it has improved diagnostic capabilities, given us new treatment options, reduced time, effort, and risk for patients. Therefore, we must make the security component of this process a positive experience for the user and/or patient, as that can mean the difference between the success or failure of a cyber criminal.
With every additional connected point, a potential new threat is introduced which must be understood, mitigated as necessary and managed over time.
Lesson 2: As attackers move up the supply chain, so must defenders.
Increasingly, there have been wide-spread, deeply embedded vulnerabilities emerging from the hacker community (ex. Ripple/20,Bluekeep, WannaCry). If we think of hacking as a business, the return on investment for a systemic issue that spans devices & industries vs. an idiosyncratic one in a single device in a single instance, is obvious math.
Attackers have seemingly limitless budgets as spending is estimated to reach $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. We see defenders' security investment around the $100B space with pretty steady increases by 10%. Recent news of Solarwinds by Microsoft showed it took more than 1,000 engineers to create. Is there ANY organization that can compete with the resources attackers have?
Defenders must work smarter to defend their assets. This means as attackers move up the supply chain, so must defenders.
Lesson 3: Plan. Practice. Persist.
Prior to connecting anything to a network, we have to understand the impact of that decision. In effect, as defenders, we have to look at the full picture by threat modeling to build a plan of action. By understanding the potential threats based on the attack surface, whether as a device manufacturer, healthcare delivery organization or vendor of security services, this will enable building a plan of action to mitigate potential threats.
Once a plan has been developed it is equally important that it be understood, ingrained in day-to-day operations, and regularly reviewed. As attackers change, so must the defense. And we must be honest with ourselves - things aren’t going to be perfect. Where there are setbacks and misses, take the opportunity to build, enhance, and re-educate.
Lesson 4: Design with security in mind.
First and foremost - I want to make it clear that I believe user training has a place and purpose. We cannot let our people proceed in a connected world without guidance and support. However, if I can’t train an algorithm to identify a potentially malicious email, is it really fair to expect an end-user to detect that malicious email?
The danger I see is that healthcare constantly blames the user/patient. Whether it’s patient adherence, login/password management, or phishing failures, this isn’t an industry that has historically optimized for easing the user experience. It goes to my earlier point - we optimize for patient outcomes.
Therefore we must design devices to be secure, starting at the inception of the device.Our systems must grow to prioritize reducing the extent of reliance on users against unknown threats. Note the nuance: I’m not saying the user doesn’t know how to use the device. I’m saying with tech, there will always be unknowns and there will always be weaknesses. The best systems are those which do not rely on the user as the detection, and more importantly in patient care, the efficacy of a device. We must be intentional and prioritize designing security into devices if we are to ever change the landscape of cyberthreats in healthcare.
Lesson 5: Don’t go at it alone.
Medical device security is absolutely a unique environment - with complex networks, various entities involved, and complicated asset management requirements. It is absolutely essential that security be built for the clinical use case. However, building a comprehensive security solution from scratch is time consuming, requires expertise likely not within the organization, and requires bandwidth to maintain over the lifetime of a device.
Relying on a third-party can address core cybersecurity requirements, but some may argue there are too many tools that insufficiently “solve” a problem. I agree - more tools doesn’t equal better security. Similar to the hospital setting, alarm fatigue from too many tools can result in missing an important alert. Tool sprawl is real and can definitely be detrimental to an organization’s ability to secure critical assets. However, that doesn’t mean everything should be built in house and no experts should be used.
As the range of technical diversity faced has grown exponentially, it is increasingly difficult to secure all the things. Once upon a time there was one mainframe, green screen, and printer, there's now innumerable client access methods, networking, remote connectivity, security, storage, server infrastructures, virtualization, and so forth.
Leveraging an expert in security build for healthcare can relieve the mounting necessity for building devices secure by design.
There are several guidelines out there (the HSCC, JSP, NCCOE, TIR-57) on how to pursue this, but it’s important to remember there is no one standard to rule them all.
We’ve seen from the idiosyncratic progress to date, we haven’t made sufficient progress. Medical device development must undergo a systemic change in how it manages cybersecurity risk for the collective to benefit.
Cybersecurity costs are managed most efficiently when integrated into core business decisions. Moreover, in an efficient economy, access to cybersecurity expertise is the way to ensure efficient and effective solutions that persist the lifetime of a device.
But for our community to have any chance at combating the mounting security debt, malicious actors in our ecosystem, and increasingly complex value delivery systems, we must begin with devices that are proactively secure by expert solutions.
On net: there’s truly good ways to create more good with less; but to get there, we have to do things differently than we have in the past.
About the author: Vidya Murthy is a hands-on leader who is passionate about her people and community. Prior to joining MedCrypt as VP of operations, she worked for global medical device manufacturer Becton Dickinson. Vidya holds an MBA from the Wharton School.